Skip to content

viorelyo/Procmonel

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
ProcMonelFilter
ProcMonelFilter
 
 
README.md
README.md
 
 

Repository files navigation

Procmonel

Procmonel is Procmon like monitoring system implemented using Microsoft WDK.

Architecture

  • Kernel Mode Filter Driver that registers to kernel notifications
  • Console Application for sending user commands to kernel driver and to receive driver notifications

Features

Kernel mode filter registers to following notifications:

  1. Process Notification Routine
    a. Create
    b. Terminate
  2. Thread Notification Routine
    a. Create
    b. Terminate
  3. Image Notification Routine
    a. Image load inside a process (.dll)
  4. Registry Notification Routine
    a. Create
    b. Set Value
    c. Delete Key
    d. Delete Value
  5. File operations
    a. Create
    b. Close
    c. Cleanup
    d. Read
    e. Write
    f. Set Attributes

Built with

  • C
  • WDK (Windows Driver Kit)
  • Win32API
  • Microsoft Visual Studio

Setup

  1. Compile project for x64 platform
  2. Test filter driver using WinDbg and connect to remote machine
  3. Copy the output of compiled project including .sys, Setup Information and Security Certificate files
  4. Install the driver by right-clicking on the .sys file and selecting Install

Usage

  • User is allowed to input exit command to stop monitoring
  • Console Application shows notifications from the driver in following form:

ProcMonel: [Time] | [Operation] | [PID] | [Path] | [Result] | [Details] |

About

Procmonel is Procmon like monitoring system implemented using Microsoft WDK

Topics

microsoft c kernel minifilter-driver win32api wdk procmon windows-driver

Resources

Readme
Activity

Stars

12 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages